Malicious Android Apps Evade Detection: McAfee

Cybercriminals Leverage Microsoft .NET MAUI for Advanced Android Malware

In a concerning trend, cybercriminals are increasingly using Microsoft's .NET MAUI framework to build Android malware that evades security controls, slips past detection and steals user data. The finding comes from McAfee researchers, who have identified a surge in malicious applications built with this cross-platform app development framework, which Microsoft released in May 2022.

While .NET MAUI offers legitimate developers the appealing feature of a “write once, run anywhere” approach, it also provides a fertile ground for the creation of harmful software. The malicious applications often masquerade as legitimate offerings from trusted sources, particularly financial institutions, and are typically distributed through third-party websites or alternative app stores, bypassing the Google Play Store entirely.

Among the variants identified by McAfee, one particularly alarming example is an application that impersonates the official IndusInd Bank app, specifically targeting users in India. This counterfeit app prompts unsuspecting victims to divulge sensitive personal and financial information, including names, phone numbers, and banking credentials. Another variant, aimed at Chinese-speaking users, disguises itself as a social networking service, with the intent to extract contacts, SMS messages, and photos from compromised devices.

What sets these applications apart from traditional Android malware is their subtlety. According to McAfee, "Unlike typical malicious apps, there are no obvious traces of harmful code in the Java or native code." Instead, the malicious logic is compiled into .NET assemblies, the basic unit of .NET code, and shipped as binary large object (blob) files in the APK's assemblies directory, a location that antivirus engines focused on DEX and native libraries frequently do not inspect.

Moreover, the attackers use multi-stage dynamic loading to further obscure the payload. The Android executable is loaded in three stages: a first-stage loader decrypts and loads a second-stage loader, which in turn decrypts and loads the malicious code written with .NET MAUI. Each stage remains encrypted until the moment it is executed, so static inspection of the package sees only ciphertext.

In addition, the attackers pad the AndroidManifest.xml file with an excessive number of permission declarations, many of them randomly generated strings rather than real Android permissions. The flood of nonsense entries can make some analysis tools error out before they ever flag the application. Because the manifest defines the app's structure, components and requirements, tampering with it in this way adds another layer of work for security analysts.
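The two static indicators described above, the payload hidden in blob files under the assemblies directory and a manifest padded with junk permissions, can be checked with a short triage script. The following is an added example, not McAfee's tooling or code from the report. It assumes the manifest has already been decoded to plain XML (real APKs store it as binary XML, so a tool such as apktool would run first), treats the prefixes in KNOWN_PERMISSION_PREFIXES as the namespaces a legitimate app normally draws from (an assumption to tune per target), and builds a small constructed APK in memory to run against.

```python
"""Static triage for a suspected .NET MAUI Android sample.

Added example, not McAfee's tooling.  It checks the two static indicators
the report describes: the payload living in blob files under assemblies/
rather than in Java or native code, and a manifest padded with junk
permissions.  Real APKs store AndroidManifest.xml as binary XML; this
example assumes it has already been decoded to plain XML (e.g. by apktool),
and builds a small constructed APK in memory to run against.
"""
import io
import math
import random
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Namespaces a legitimate app's permissions normally come from (assumption:
# tune for the target app; vendor-specific prefixes may need adding).
KNOWN_PERMISSION_PREFIXES = ("android.permission.", "com.android.", "com.google.android.")


def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted or compressed data, lower for code/text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_assembly_blobs(apk):
    """Describe every file under assemblies/ (where .NET MAUI ships its assemblies)."""
    out = []
    for info in apk.infolist():
        if info.is_dir() or not info.filename.startswith("assemblies/"):
            continue
        data = apk.read(info.filename)
        out.append({"name": info.filename, "size": len(data),
                    "entropy": round(shannon_entropy(data), 2),
                    "is_blob": info.filename.endswith(".blob")})
    return out


def suspicious_permissions(manifest_xml):
    """Return all requested permissions and those outside known namespaces."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    junk = [n for n in names if not n.startswith(KNOWN_PERMISSION_PREFIXES)]
    return {"total": len(names), "junk": junk}


def triage(apk_bytes, junk_threshold=5, entropy_threshold=7.5):
    """Run both checks over an APK held in memory and return findings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        blobs = find_assembly_blobs(apk)
        perms = suspicious_permissions(apk.read("AndroidManifest.xml"))
    findings = []
    if any(b["is_blob"] for b in blobs):
        findings.append("dotnet-assembly-blob")
    if any(b["is_blob"] and b["entropy"] > entropy_threshold for b in blobs):
        findings.append("high-entropy-blob")
    if len(perms["junk"]) >= junk_threshold:
        findings.append("junk-permissions")
    return {"blobs": blobs, "permissions": perms, "findings": findings}


def build_sample_apk():
    """Constructed sample APK: decoded manifest with junk permissions plus one blob."""
    junk_names = ("qzkr.ptwmsl.Vgh", "xa.bbqe.Jjurw", "mmfo.LlZk.k",
                  "tttr.e.Hx", "pq.opqz.Wsd", "z.yyq.Aabl")
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.fakebank">\n'
        '  <uses-permission android:name="android.permission.INTERNET"/>\n'
        '  <uses-permission android:name="android.permission.READ_SMS"/>\n'
        + "".join(f'  <uses-permission android:name="{n}"/>\n' for n in junk_names)
        + "</manifest>\n"
    )
    # Seeded PRNG output stands in for an encrypted payload (deterministic, not secret).
    payload = random.Random(1234).randbytes(4096)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)  # innocuous-looking stub
        z.writestr("assemblies/assemblies.manifest", "Hash 32  Hash 64  Blob ID  Blob idx  Name\n")
        z.writestr("assemblies/assemblies.blob", payload)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage(build_sample_apk())
    print(result["findings"])
    for blob in result["blobs"]:
        print(blob)
```

The entropy check separates a blob that is genuinely encrypted (near 8 bits per byte) from an ordinary compiled assembly store, and the permission check counts names outside the expected namespaces rather than trusting the total count alone, so a legitimately permission-heavy app is not flagged for volume by itself. The XML parser is used for the manifest precisely because the report says malformed permission floods break some tools: a parser that fails cleanly on one bad entry is what you want here.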

Another evasion technique replaces standard HTTP requests with encrypted connections over raw TCP sockets, so security software that inspects HTTP traffic never sees the exchange with the attackers' server. As these techniques spread, researchers expect mobile malware to keep evolving and similar tactics to appear more often.
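Traffic that bypasses HTTP in this way still has to cross the network, and the first segment of each flow is usually enough to tell HTTP and TLS apart from an opaque custom protocol. The helper below is an added example, not code from McAfee's report, that labels the first payload bytes of a captured TCP flow and picks out the opaque ones for review; the sample flows and their destination addresses are constructed.

```python
"""Classify the first payload segment of a TCP flow.

Added example, not from McAfee's report.  The report notes the malware
talks to its server over encrypted raw TCP sockets instead of HTTP, so
HTTP-aware inspection never sees a request.  This helper labels the first
bytes of a captured flow so opaque, non-TLS streams can be pulled out for
review.  All sample payloads below are constructed.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def classify_first_segment(payload):
    """Return one of: http, tls, plaintext, opaque, empty."""
    if not payload:
        return "empty"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    # TLS record header: content type 0x16 (handshake), protocol major version 0x03.
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(payload) >= 0.9:
        return "plaintext"
    return "opaque"


def flag_flows(flows):
    """Pick out flows whose first segment is neither HTTP, TLS nor readable text.

    flows: iterable of (dst_ip, dst_port, first_payload).  Returns
    (dst_ip, dst_port, label) tuples for the flows worth a closer look.
    """
    flagged = []
    for dst_ip, dst_port, payload in flows:
        label = classify_first_segment(payload)
        if label == "opaque":
            flagged.append((dst_ip, dst_port, label))
    return flagged


# Constructed first segments standing in for captured traffic (RFC 5737 test addresses).
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, b"GET /api/login HTTP/1.1\r\nHost: bank.example\r\n\r\n"),
    ("203.0.113.11", 443, bytes.fromhex("160301007a010000760303") + bytes(0x76 - 6)),
    ("203.0.113.12", 8443, bytes.fromhex("9f12e3a7c04b5d8e1f6a22b9d4c7e0f3") * 2),
    ("203.0.113.13", 6667, b"NICK victim\r\nUSER victim 0 * :x\r\n"),
]

if __name__ == "__main__":
    for ip, port, payload in SAMPLE_FLOWS:
        print(ip, port, classify_first_segment(payload))
    print("review:", flag_flows(SAMPLE_FLOWS))
```

The point of separating "tls" from "opaque" is operational: a TLS flow still exposes a ClientHello and a certificate chain that a proxy or IDS can reason about, whereas a custom encrypted protocol on a raw socket exposes nothing, which is exactly why the report singles it out. Port is deliberately not used in the decision, since an opaque stream on 443 is as suspicious as one on 8443.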
